PIA from a fixed location in Windows

edited October 2014 in Windows VPN Setup Posts: 11


my name is Shukhrat Nekbaev and I'm a .NET Developer. I'd like to add my 2 cents into well-known problem of PIA with firewall/AV software when it runs from a temp folder location.

Background: I have Agnitum Security Suite installed and as reader may have guessed it doesn't like "malware'ish like" activity of PIA application. What I mean by that is when pia_manager is executed it creates folders in Windows temp directory, one of which contains an unsigned executable (rubyw.exe) and tries to run it. One more time: every time you run pia_manager.exe -> creates a temp folder and runs unsigned exe. For AV software this behaviour is very suspicious, I assume this is a "malware dropper"-like behaviour - http://en.wikipedia.org/wiki/Dropper_(malware). I wanted to run the application from a persistent location, so I could create system/network rules for rubyw.exe (unsigned, duh) explicitly.

Why temp folder is used?
PIA application was developed using Ruby. Skipping the "Why?" (including the "but it runs on Win/Lin/Mac") part we end up with question "How to execute Ruby application on client PC?", to avoid headaches PIA developer(s) decided to use OCRA tool (http://ocra.rubyforge.org/), which basically packages Ruby files into a single executable. When executed it extracts the content to "specific" location and then runs by specifying command line to Ruby interpreter.
Its documentation states: "The 'current working directory' is not changed by OCRA when running your application. You must change to the installation or temporary directory yourself." I don't have experience with Ruby, neither OCRA, but I speculate with it might have been possible to specify the fixed directory. But even so, the executable would extract files into fixed directory and files will be overwritten (maybe there is a switch "Don't overwrite"?) and decent AV software will detect that executable has changed and will start complaining again, but now one should be able to add that fixed path to "Exclusions" list. When I contacted support, I was suggested to white list "rubyw.exe" etc. But then what? I can rename any malware to rubyw.exe and it will be skipped unless AV software will somehow "figure out" that the newly created executable is the same as the one from "yesterday"? :) Anyway, I wanted to keep component and executable control "ON" in my AV software and do not add to "allow all" exclusions the unsigned binary of rubyw.exe.

How the "fixed" location part could be addressed?

Well, not to use the temp folder in the first place and run rubyw.exe with parameters directly. This is what I did by developing a small launcher application. My findings are based on several hours of research.

You will need administrative privileges to perform these operations and .NET Framework 2.0 to run the application:

1) Run PIA application, let it start

2) Now you need to find the temp directory created by PIA, it has a patter like C:\Users\YOUR_USER_NAME\AppData\Local\Temp\ocrXXXX.tmp\
YOUR_USER_NAME <-- this is YOUR username
XXXX <-- randomly generated alphanumeric value, but you should be able to find that folder easily, for example, I had: C:\Users\SHUKHR~1\AppData\Local\Temp\ocrF22C.tmp
So, find this temp folder, it will contain 3 folders: bin, lib and src, keep it open

3) Now open location where PIA is installed, in my case it was installed to "c:\Program Files\pia_manager" (I will refer to this location as "PIA directory" from now on)
Copy those 3 folders (bin, lib and src) to PIA directory

4) Exit PIA application

5) Next rename pia_manager.exe to pia_manager.exe_ so that you have a backup copy

6) Download a zip file from my PC - http://particlefusion.org/pia_manager.zip
Unpack and copy following files (from attachment) into PIA directory:

Yes and that's good that you don't trust any unsigned executables, that is why I've provided the source code for the program, you can download a free version of Visual Studio 2012 and compile it yourself. I've provided the executable only for the most lazy ones :) You can use ILSpy or Reflector to see its content and compare to source code. So, no hidden surprises.

If you have done everything correctly, from now on it should run from PIA directory.

I have tested on my Win8.1 box.
Thank you!

P.S: provided as is, feel free to use the source code for your own needs :)

Post edited by Support on


  • Posts: 4,013
    This thread should be stickied until the client is updated to make it unneeded.
  • Thank you so  very much for this fix.  I wonder WHY PIA could not have given us this fix in their software YEARS ago.  So simple and yet so very brilliant.  TY!!!  Zip file scanned with 5 different programs... virus and malware FREE!!!
  • OK,  I got this to work on my 2 Windows 7 Pro Computers, but it is not working on my 2 Windows XP Pro Computers.  Is there any chance you can make this same fix for Windows XP Pro???   Thank you very much.  Your work is greatly appreciated.

  • Posts: 6
    This really should be implemented...
    I have the same problem with Bitdefender!
    How can we make PIA people understand this is a serious and urgent concern?
  • I will consider this to be made a sticky.
  • I Love this solution so much I want to make sure everyone can get it.
    So I am putting some mirrors up if Step 6 ever Fails.

    This is the Exact File Supplied by Shukhrat Nekbaev in this post.

    Here are the Hashes
    SHA1: AD5F05FE79749F360237475E9D459AB3C0CBA41E
    MD5: ACBA4604DE63D18211C3928BFEDEE19A
    CRC32: CD8C089B

    File: pia_manager.zip   ( 55 kB )

    Here are the Mirrors
    Thanks a lot Shukhrat for figuring this out for us!

    Posts: 795
    @FinDev: Could you check checksums and verify Jason's mirrors?
  • Posts: 4,013
    Those are the correct checksums from FinDev's post.

    The zips are identical.

    Thank you @Jason_Todd.
  • edited April 2014 Posts: 380
    I haven't tried this solution since I don't have the issues that many others have, but I hereby nominate @FinDev for a free one year (or more!) subscription to PIA for the excellent work, or maybe a job offer, or both! >:D<
    Post edited by heyitsme on
  • I have this working perfectly on my 2 Windows 7 Pro Computers, but have failed to get it to work on my 2 Windows XP Pro Computers.  Anyone know how to get them to work on Windows XP???
  • edited April 2014 Posts: 5
    Awesome work @FinDev
    Post edited by whoiskamryn on
  • edited April 2014 Posts: 42
    Working on my two windows7 pro PC's.  Thank you!!!   :)>-
    Post edited by rmay1216 on
  • Posts: 42
     Has anyone seen there DNS leak with this fix?  I have been checking and it has been leaking but when I disconnect and reconnect it doesn't leak.  Or is this from something else??
  • edited May 2014 Posts: 1
    Are the two files, from the download, the only ones to be copied to the pia-manager directory?
    Post edited by Blue_Fire on
  • Posts: 81
    Odd that PIA hasnt said when they will implement a solution for this for their own software.  We now have a working solution, and the code needed for PIA to fix this, yet they havent committed to fixing this as of yet on their end.

    Are they going to tell us that they are working on this, or not?
  • Posts: 42
    Are the two files, from the download, the only ones to be copied to the pia-manager directory?
  • Posts: 106
    I decided to try this out because of the constant problems with Bitdefender.  I used to have two instances of pia_manager and two instances of rubyw in my running processes when running the PIA client.  I now only have one instance of rubyw and no instances of pia_manager.  The client seems to be working as expected so far.  Are the missing processes just part of how this is set up?  I still have the openvpn, pia_tray, and single rubyw in the processes.
  • Posts: 73
    Yes OS34 that's how it should be.
  • Posts: 5
    FinDev: Two big words: THANK YOU
  • Posts: 1
    I went to try and install this because I was having issues with my firewall, but when I looked in the Temp directory I saw 2  ocr****.tmp folders. I turned PIA off and restarted and 2 folders were created again. What do I do to fix this?
  • Posts: 13
    I tried on Win 7 and it works completely fine following the instructions of FinDev.

    Now PIA_Manger runs from the main installation directory and my firewall now works great with the Ruby exe.

    My firewall is the standard Win7 firewall with the Binisoft Windows Firewall Control app.

    f0278f64, did you follow the FinDev instructions as once you move the ocr*.* folders to the PIA installtion folder and replace the pia_manager exe then there should be nothing happening in the temp folder.
  • Next question is how to move PIA installation from default C: drive to another?
  • Posts: 43
    I second a request to see if this functionality can be extended to XP which I continue to run on one or two boxes pending transfer of the meatier apps and licence renewals.

    Is it the case that the only material difference might be the path to temp in Win 7 includes the more elegant 'users' rather than the clomping and fatuous 'Documents and Settings'?  If so can the variability be handled by an .ini or other config plaintext file that the user can tweak?
  • Posts: 1
    this works, but until new PIA client update released, we going nowhere :|
  • Can anyone (especially FinDev) confirm if this will keep working regardless of PIA client updates.
    ie if FinDev compiled exe is independent of PIA update or does the FinDev exe need to be revamped each time PIA update the client.
  • Posts: 4,013
    Can anyone (especially FinDev) confirm if this will keep working regardless of PIA client updates.
    ie if FinDev compiled exe is independent of PIA update or does the FinDev exe need to be revamped each time PIA update the client.
    No one can honestly promise to compensate for changes they cannot know in advance.

    It works for now and costs you nothing. Take it or leave it.
  • The reason for asking is that FinDev did his mod back in January and since then there had been several PIA client updates. Not knowing what FinDev mod actually does apart from allowing to run the Ruby Application from a fixed location, however as we are replacing the newly updated PIA pia_manager.exe with his own mod copy are we losing any functionality or bug-updates that PIA issue into thier new client? Thats all I am asking.

    For such a big company PIA are slow on updates/support/fixes/improvemts with their client. Yes it would be nice if PIA did a fixed location update clinet that was rock solid. Like you say OmniNegro - Take it or leave it.
  • Posts: 4,013
    There surely is a lot that needs work. Please disregard my bad attitude. I tend to spend my time fighting off people who really do not know what they are even talking about. I can see that you do.
  • Cheers, been a programmer since the early days of 1980 when I had to hand build my first computer, a rather snazzy ZX80 from Sinclair. I was 15 then.... My biggest grip is that it can be really hard to given emotive typing. Easier to talk
  • Posts: 1
    I have 7 folders that start with ocr in my Temp folder.  Now what do I do?  Add them all?
Sign In or Register to comment.